The Trouble with NAT(Or why I care about IPv6)

Mark Smithmarkzzzsmith@gmail.com@markzzzsmith

AusNOG Conference2016

A Sad Story from 1996

Couldn't NAT this!

On Being a Network Operator

Application

Transport

Internet

Link

Application

Transport

Internet

Link

Internet Internet

host-to-host

Link Link

Fiber, Satellite,

etc.Ethernet

Data Flow

Ethernet

process-to-process

https://commons.wikimedia.org/wiki/File:IP_stack_connections.svg, Author: Kbrose, Permission: GDFL

NetworkHost Host

Application Application

Network

Network Operators

Network Vendors

Hosts

Applications

End-Users

Supports

Depends

Network

Network Operators

Network Vendors

Hosts

Applications

End-Users

Supports

Depends

Us

Our Customers

Our Mission

Or,

Network Critical Success Factors(NCSFs)

Available

https://flic.kr/p/81SRQG; Author: Daniel Weir; No Mods; Lic:CC BY-NC 2.0

Applications

End-Users

Network Availability

Requirements

Packets sent by Hosts should have

a good Probability of Arriving at the destination Host

within an Acceptable Timeframe.

http://ccr.sigcomm.org/archive/1995/jan95/ccr-9501-clark.pdf

NetworkHost Host

Application Application

> 99/100 packets delivered

Scalable

https://flic.kr/p/aAu2Py

Scaling DimensionsNetwork Elements (Routers / Switches)

Links

Network Capacity

Hosts

Geographic Sites

Vertical Scaling

● “Scaling Up”

● Need to replace existing capacitywhile adding new capacity

● Using a bigger hammer!

Horizontal Scaling

● “Scaling Out”

● Adding new capacity toexisting capacity

● No capacity replacement!

● Divide-and-conquer!

+ +

Applications

End-Users

Scalable Network

Inherent requirement

Adequately Performing

Adequate network:

Throughput

Latency

Packet Delivery Success

Packet Order

Applications

End-Users

NetworkPerformance

Requirements

Constrained by Budget

https://flic.kr/p/akxao3

Applications

End-Users

Network Budget

Budget Constraints

AvailableScalable

AdequatelyPerforming

Budget

https://flic.kr/p/8a9uyV; Author: ph-stop; No Mods; Lic: CC BY-SA 2.0

Available >Scalable >

Performance?

Performance means nothingif you crash!

The Trouble with NAT

Basic NAT –one:one address translation

Network Address Port Translation (NAPT) –many:one address translation

RFC2663

“NAT”

RFC791

RFC793

RFC959

NAT Impact #1 – Packet Modification

- Fails to understand Transport Layer Protocol (TLP).

- Fails to understand Application Layer Protocol (ALP).

- Can't see TLP and/or ALP due to encryption.

- Receiver considers modifications to be an MITM attack.

Any of Above may result in the Packet being Dropped.

NCSF: Availability IMPACT.

NAT

NAT Impact #2 – State / Loss of State

- Traffic driven state means vulnerable to State Exhaustion Denial of Service attack.

- Loss of State due to device Failure means Application Sessions can fail even if there is an alternate Network Path.

- State Synchronisation between redundant NAT devices can be Expensive if devices are Geographically Diverse e.g., different racks, different DCs

NCSF: Availability IMPACT.

NCSF: Budget IMPACT.

NAT NAT

(After 3rd Party Host setup)

3rd Party Host

Games, Instant Messaging, Voice/Video Conferencing

NAT Impact #3 – 3rd Party Host Required

- Applications that suit Direct Communication are forced to use a 3rd Party Host

- 3rd Party Host acts as a Relay for All Traffic or is involved in setting up Direct NAT-to-NAT path.

- 3rd Party Host may be relied on (relay), perform well (relay) and must be Trusted.

NCSF: Availability IMPACT.

NCSF: Performance IMPACT.

NAT NAT

(After 3rd Party Host setup)

Server

Games, Instant Messaging, Voice/Video Conferencing

Client/ServerApplication Architecture

Client Client

Games, Instant Messaging, Voice/Video Conferencing

Peer-to-PeerApplication Architecture

Peer Peer

+ +

Client/Server Architectures Peer-to-Peer Architectures

What is the Nature of the Internet Protocols?

Client/Server?

IPv4

[mark@x13 RFCs]$ egrep -i "(Client|Server)" rfc791.txt

[mark@x13 RFCs]$

IPv6

[mark@x13 RFCs]$ egrep -i "(Client|Server)" rfc2460.txt

[mark@x13 RFCs]$

Peer-to-Peer, just like People!

https://flic.kr/p/9PiRpm

Being a Peer

A device with an IP address should be able to:

Send Packets to and receive Packets from All other devices with IP addresses attached to the Same Network, Security Permitting.

Use its own IP address to Identify itself to Others when Referring to itself.

2001:db8:aaaa:1:23eb:af8e:633e:c7fd

2001:db8:8888:cafe:9ae9:f737:58e7:f5bf2

2001:db8:aaaa:abcf:ee36:6257:a09b:31e3 2001:db8:1234:dead:fb3d:071b:bc6a:10fe

2001:db8:fef8:fef8:a446:168c:0c0f:7250

2001:db8:4564:1432:bc29:0f26:436e:bd15

2001:db8:9999:1:422e:4919:dac1:15702001:db8:9999:2:5193:4162:0ebb:2a0d

NetworkHost Host

Application Application

Remember This?

The Fundamental Constraint of NAT is that it Prevents IP nodes attached to the same network

from Acting as Peers of each Other.

IPv6 without NAT

FAQ: RenumberingIPv6 formally supports multiple concurrent addresses on each interface and addresses lifetimes.

Use Unique Local Addresses (RFC4193) for internal or local traffic, Global prefix(es) for external Internet access.

ULA prefix stays stable and in use during Global renumbering procedure.

Future: Multipath transport protocols e.g., MPTCP, Source Address Dependent Routing (SADR).

FAQ: NAT provides Stateful Firewalling

Stateful Firewalling property of NAT is a side effect of what is necessary to do to perform address translation.

Stateful Firewalling can be performed without address translation (and is, see Linux kernel 'ip6tables' as an example).

FAQ: NAT hides devices

People are really saying, “NAT hides devices from unsolicited inbound address probes”.

Devices are not hidden from other forms of discovery such as HTTP cookies, or addresses and other identifiers that are leaked in other places in protocols.

Network or host stateful or stateless inbound filters can “hide” IPv6 devices, as well as addressing schemes such as IPv6 Temporary/Privacy Addresses and hard to find using probing Stable Opaque (RFC7217) Addresses.

FAQ: NAT Internal Topology Hiding

RFC4864 mentions using host routes for small scale sites and Mobile IPv6 larger ones.

Another option is various forms of tunnelling over IPv4 to make an IPv6 device appear where the tunnelling concentrator is located.

For example, ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) makes IPv6 devices attached to an IPv4 network appear to all come from the same single /64.

Convinced?

Some Further Reading

RFC1627 - “Network 10 Considered Harmful (Some Practices Shouldn't be Codified)”

RFC1958 - “Architectural Principles of the Internet”

RFC2775 - “Internet Transparency”

RFC2993 - “Architectural Implications of NAT”

RFC3439 - “Some Internet Architectural Guidelines and Philosophy”

RFC3879 - “Deprecating Site Local Addresses”

RFC4924 - “Reflections on Internet Transparency”

RFC5902 - “IAB Thoughts on IPv6 Network Address Translation”

Questions?

Thanks for listening.

https://flic.kr/p/dA1sTY; Author:Shara Miller; No Mods; Lic: CC BY-NC-ND 2.0